Zyxel Virtual Server (Port Forwarding) [NAT] - how to configure Virtual Server (Port Forwarding) on the Zyxel USG Flex H Series firewall

Understanding Virtual Server Port Forwarding

Virtual Server Port Forwarding, commonly referred to as port forwarding, is a networking technique that directs external traffic from the internet to specific devices or services within a local network. It allows external devices to communicate with a specific device or service inside a private network by mapping an external port to an internal IP address and port.

How Port Forwarding Works

  • Router Configuration: Port forwarding is configured on the router. When an external request reaches the router on a specific port, the router forwards this request to a pre-defined internal IP address and port within the local network.
  • Port Mapping: The external port is mapped to an internal port. For example, a request on port 8080 might be directed to port 80 on an internal web server.
  • Traffic Direction: Incoming traffic on the specified port is redirected to the designated internal device or service, enabling access to internal resources from the external network.

Benefits of Port Forwarding

  • Remote Access: Allows users to access internal services remotely, such as a home server, security camera, or gaming server, enhancing the flexibility and utility of these services.
  • Enhanced Security: By specifying which ports are open and where they are directed, port forwarding can help manage and limit access to internal resources, reducing exposure to potential security threats.
  • Efficient Use of IP Addresses: Port forwarding enables multiple services to run on a single public IP address by using different ports, conserving IP address usage.
  • Improved Performance: By directing specific traffic directly to the intended device, port forwarding can improve the performance of network services and reduce latency.

Real-life Examples of Port Forwarding

  • Gaming Servers: Gamers often use port forwarding to host game servers, allowing other players to connect to their gaming console or PC from the internet. For instance, forwarding port 3074 for Xbox Live or port 25565 for a Minecraft server.
  • Remote Desktop Access: Users can set up port forwarding to access their home computer or office workstation remotely via Remote Desktop Protocol (RDP) by forwarding port 3389.
  • Security Cameras: Homeowners can monitor their security cameras remotely by forwarding the relevant ports, typically port 8080 or 554 for RTSP streams, to the camera's IP address.
  • Web Hosting: Small businesses or individuals can host their own websites on a home server by forwarding port 80 (HTTP) or port 443 (HTTPS) to the internal web server.
  • FTP Servers: Port forwarding can be used to set up an FTP server at home, allowing file access from the internet by forwarding ports 20 and 21.

In this example, we will configure access to our switch from the WAN through port 1040.

Start by logging in to the device via the Web GUI.

Go to Configuration > Network > NAT and create a new rule by clicking the "Add" button.

Then fill in all required fields.

  • Enable NAT rule
  • Give a name that captures the essence of the rule
  • Set the port mapping type to "Virtual Server"
  • Incoming interface to WAN
  • Source IP to Any
  • External IP - use your external IP
  • Internal IP - specify the IP address to which access is required
  • Port Mapping Type - specify an external port and an internal port

  • Enable NAT loopback
  • Apply all changes

NAT loopback lets hosts inside the network reach the internal server using the public IP. Check that NAT loopback is enabled and click OK (this allows users connected to any interface to use the NAT rule too).

Then create a Policy Control rule: 

The first thing we'll do is create an address object for our device, which we'll need to create a security policy.

Go to Object > Address and create a new object (address type "Host") by clicking the "Add" button.
  • Give a clear name to the object
  • Specify the IP address of your device
  • Click “Apply”

Now add the firewall rule itself to allow NAT (Port Forwarding).

Go to Security Policy > Policy Control and create a new rule by clicking the "Add" button.

Then you can fill in all required fields.

  • Enable policy
  • Give a name that captures the essence of the rule
  • From - WAN
  • To - LAN
  • Source - Any
  • Destination - Select the object created in the previous step
  • Service - HTTPS
  • User - Any
  • Action - allow
  • Apply all changes

To test, open a browser and type in the WAN IP of your USG and the configured port. The device is now behind the USG and reachable through port forwarding.

For example, one of our devices is available:  Zyxel Switch XS1930-10
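
The following is an added example, not Zyxel code or part of the original article: a small Python model of how the Virtual Server rule and the Policy Control rule from the steps above combine for one inbound connection, plus a review check on the rule pair. The addresses are constructed documentation values, internal port 443 is inferred from "Service - HTTPS", and matching the policy against the translated destination is an assumption taken from the article's policy settings (Destination is the internal host object, not the WAN IP).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges), not from the article.
WAN_IP, SWITCH_IP = "203.0.113.10", "192.168.168.50"

@dataclass
class VirtualServer:            # models the NAT rule fields from the walkthrough
    external_ip: str
    external_port: int
    internal_ip: str
    internal_port: int
    source: str = "any"         # "any" or a CIDR such as "198.51.100.0/24"

@dataclass
class Policy:                   # models the Policy Control rule fields
    src_zone: str
    dst_zone: str
    source: str
    destination: str            # IP of the Host address object
    service_port: int
    action: str = "allow"

def src_ok(rule_source, src_ip):
    return rule_source == "any" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source)

def evaluate(nat, policy, src_ip, dst_ip, dst_port):
    """Return (verdict, translated_destination) for one inbound TCP connection on WAN."""
    if (dst_ip, dst_port) != (nat.external_ip, nat.external_port) or not src_ok(nat.source, src_ip):
        return "drop: no NAT match", None
    target = (nat.internal_ip, nat.internal_port)   # destination after translation
    # Assumption: the policy is checked against the translated destination,
    # so it must name the internal IP and internal port, not the WAN IP and port 1040.
    if ((policy.src_zone, policy.dst_zone, policy.action) == ("WAN", "LAN", "allow")
            and src_ok(policy.source, src_ip)
            and (policy.destination, policy.service_port) == target):
        return "allow", target
    return "drop: no policy match", target

def audit(nat, policy):
    """Review findings for the NAT rule and policy taken together."""
    findings = []
    if (policy.destination, policy.service_port) != (nat.internal_ip, nat.internal_port):
        findings.append("policy does not match the translated destination")
    if nat.source == "any" and policy.source == "any":
        findings.append("forward is reachable from any source address")
    return findings
```

With the article's settings (Source Any in both rules), `audit` reports that the switch's web interface is reachable from any source address; replacing "Any" with the network you administer from clears that finding.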
